Developers, your security warnings are messing with people’s brains, and not in a good way.

In fact, given the poor timing of security warnings popping up, most people – we’re talking about up to 87% in some cases – ignore them.

Ignore, as in, researchers found scarcely any brain activity when they measured test subjects via fMRI (functional magnetic resonance imaging) while security warnings interrupted those subjects as they were trying to do other things, such as input their login or enter a validation code.

The conclusion comes from a paper published in an Institute for Operations Research and the Management Sciences (INFORMS) journal on Thursday by researchers from Brigham Young University in Utah and the University of Pittsburgh in Pennsylvania.

The problem, more or less, is one of systems fatigue, the researchers said. As it is, “System-generated alerts are ubiquitous in personal computing,” as well as in our proliferating mobile devices.

Those systems are there to help users by providing timely information designed to protect us, but the researchers found that they come at a “high cost in terms of increased stress and decreased productivity.”

That’s due to what’s called dual-task interference (DTI), a “cognitive limitation in which even simple tasks cannot be simultaneously performed without significant performance loss.”

In other words, multitasking.

It’s important to understand when, exactly, security warnings are heeded and when they’re ignored, the researchers said, because not heeding such alerts can introduce critical vulnerabilities in information security and privacy.

Research has already established that when trying to do multiple tasks, people’s performance sags, even when the tasks are neither physically incompatible with each other nor intellectually challenging.

As it is, there are some security alerts that demand immediate attention, such as browser SSL warnings, and others that don’t, including alerts about software updates, backups, and malware scan notifications.

Medial temporal lobe, we’re blaming this on you. Known as the MTL, this brain region is associated with what’s called long-term declarative memory, which is what we use to store information over long periods of time – longer than 15 to 30 seconds – without constantly repeating it to remember.

That’s the spot in our brain where security training, even very recent training, lives.

High DTI means we can’t meet the demands of multiple tasks in that part of our brains. It turns into a bottleneck.

The higher the DTI, the less the brain can spare time and effort for security alerts.

To test their hypotheses, the researchers had participants respond to some security warnings that interrupted something else they’d been doing – a primary task – and some that didn’t interrupt.

The primary task in their tests was to have participants memorize or encode a 7-digit code. The researchers gave their subjects a short time to “rehearse” the code – i.e., repeat it until they had it down – and then asked them to recall it.

They chose this task because it mimics what we have to do on the computer: use our working memory to do things like read a web page or search for information. (Working memory calls on MTL brain regions.)

Percentage of disregard for each condition (ranked from lowest to highest DTI)

Low-DTI: Waiting for page load – 22.11% disregarded

Low-DTI: While processing – 24.47% disregarded

Low-DTI: After video – 43.75% disregarded

Low-DTI: On first page load – 44.79% disregarded

Low-DTI: Switching domains – 46.32% disregarded

High-DTI: On the way to close window – 74.47% disregarded

High-DTI: While typing – 77.89% disregarded

High-DTI: During video – 79.38% disregarded

High-DTI: While transferring information – 87.23% disregarded

The takeaway? Do not interrupt people on YouTube or when they’re inputting something!

In a nutshell, this is the researchers’ recommendation for…

How to issue alerts that don’t get ignored

Present security warnings at low-DTI times. You can figure out what those times are by using mouse cursor tracking, for example.

From the paper:

Our findings suggest that although alerts are pervasive in personal computing, they should be bounded in their presentation. The timing of interruptions strongly influences the occurrence of DTI in the brain, which in turn substantially impacts alert disregard.
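One way a developer could act on that recommendation, as an added example that is not from the paper or the original article: a scheduler that shows urgent alerts (such as SSL warnings) immediately and holds deferrable ones until the user is neither typing, moving the cursor, nor watching video. The class name, the 2-second quiet threshold and the 60-second deferral cap are assumptions chosen for illustration.

```javascript
// Added example; thresholds and names are assumptions, not values from the paper.
class AlertScheduler {
  constructor({ quietMs = 2000, maxDeferMs = 60000, deliver }) {
    this.quietMs = quietMs;       // idle time treated as "not mid-task"
    this.maxDeferMs = maxDeferMs; // cap so a deferred alert is never lost
    this.deliver = deliver;       // callback that actually shows the alert
    this.lastInputAt = -Infinity; // last keystroke or cursor movement
    this.videoPlaying = false;
    this.queue = [];
  }
  // Wire to keydown / mousemove listeners in a browser.
  noteInput(now) { this.lastInputAt = now; }
  // Wire to the media element's play / pause / ended events.
  setVideoPlaying(playing) { this.videoPlaying = playing; }
  // High DTI per the article: typing, heading to close a window, during video.
  isLowDti(now) {
    return !this.videoPlaying && now - this.lastInputAt >= this.quietMs;
  }
  submit(alert, now) {
    // Alerts that demand immediate attention are never deferred.
    if (alert.urgent) { this.deliver(alert, now); return; }
    this.queue.push({ alert, queuedAt: now });
    this.tick(now);
  }
  // Call on a timer and at boundaries such as page load or video end.
  tick(now) {
    const low = this.isLowDti(now);
    const keep = [];
    for (const item of this.queue) {
      const expired = now - item.queuedAt >= this.maxDeferMs;
      if (low || expired) this.deliver(item.alert, now);
      else keep.push(item);
    }
    this.queue = keep;
  }
}
// Constructed timeline (milliseconds): user types, then pauses.
function demo() {
  const shown = [];
  const s = new AlertScheduler({ deliver: (a, t) => shown.push(`${t}:${a.id}`) });
  s.noteInput(1000);                                         // typing
  s.submit({ id: 'update-available', urgent: false }, 1100); // held back
  s.submit({ id: 'tls-cert-invalid', urgent: true }, 1200);  // shown at once
  s.noteInput(1500);
  s.tick(2000);                                              // still typing
  s.tick(3600);                                              // 2.1 s idle: released
  return shown;
}
```

The deferral cap matters in practice: without it, a user who types or watches video continuously would never see the queued alert.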


About the author

Lisa has been writing about technology, careers, science and health since 1995. She rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash and joined the freelancer economy. Alongside Naked Security Lisa has written for CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output.

10 comments on “Why people ignore security alerts up to 87% of the time”

The problem for most people must be how do I identify a genuine alert or a scam? Unless I am as sure as I can be of its validity I ignore them as well. “You have malware on your computer – click here to remove it.” Most users wouldn’t touch it with a barge pole but how do non-savvy people respond? I only respond to warnings from my antivirus program, any other warnings I can’t identify but may need investigating I just close any programs and run a malware and antivirus scan. Not always, but mostly, scams can be spotted in the wording and phraseology.

Pet peeve: alert that says browser can’t verify the certificate of a site. Most of the time, it is just a lack of updated info, but in order to get to that site, I must ignore the alert or switch browsers. So it is teaching me to ignore alerts.

Those Futurama writers were so, *so* SO brilliant. Incisive social commentary on human behavior mixed with current (or archaic) pop culture references, contextually seamless and relevant to the point where each episode must receive repeat viewings to notice all of them.